The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency have issued an advisory regarding the evasive threat actor identified as Scattered Spider, a loosely knit hacker collective now collaborating with the Russian ALPHV/BlackCat ransomware operation.
Scattered Spider, also known as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest and Muddled Libra, is adept at social engineering and relies on phishing, multi-factor authentication (MFA) bombing (MFA fatigue) and SIM card swapping to gain initial network access in large organizations.
The group includes young English-speaking members (as young as 16) with diverse skills who frequent the same hacker forums and Telegram channels.
Some members are also believed to be part of “Comm”, a loosely knit community involved in violence and cyber incidents that has recently received media attention.
Contrary to the general belief that it is a cohesive gang, it is a network of individuals, with different threat actors participating in each attack. This fluid structure makes them difficult to track.
However, according to Reuters reporters, the FBI knows the identities of at least 12 members of the group but none have yet been charged or arrested.
Scattered Spider attacks have been documented since last summer, when researchers at cybersecurity firm Group-IB published a report on a series of attacks aimed at stealing Okta identity credentials and 2FA codes, which had started in March of the same year.
In December 2022, CrowdStrike presented the threat actor as a financially motivated group targeting telecommunications companies, employing sophisticated social engineering tactics, defense evasion, and a rich set of software tools.
In January 2023, CrowdStrike discovered that Scattered Spider was using Bring Your Own Vulnerable Driver (BYOVD) methods to evade detection by Endpoint Detection and Response (EDR) security products.
Most recently, in September of this year, two high-profile attacks against MGM Casino and Caesars Entertainment were attributed to Scattered Spider, where malicious actors used the BlackCat/ALPHV locker to encrypt systems.
The threat actor’s past activities include attacks on MailChimp, Twilio, DoorDash, and Riot Games.
An October report from Microsoft, which calls them Octo Tempest, says they are one of the most dangerous financial crime groups and are known to use violent threats to achieve their goals.
The researchers’ findings on the group’s variety of attack methods indicate that its members possess knowledge that spans different areas of cybercrime, from social engineering and hacking to SIM swapping, phishing and bypassing login protections.
Scattered Spider Tactics
The FBI and CISA alert highlights Scattered Spider’s powerful initial access tactics of targeting a company’s employees by posing as IT or support staff and tricking them into providing credentials or even direct network access.
Individual tactics include phone calls, SMS phishing, email phishing, MFA fatigue attacks, and SIM swapping. Domains used for email and SMS phishing misuse the Okta and Zoho ServiceDesk brands combined with the target’s name to make them appear legitimate.
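The MFA fatigue tactic described above produces a recognisable pattern in identity-provider logs: a burst of push prompts that the user denies or ignores, sometimes followed by an approval. The detector below is an added example written for this article, not code from the FBI/CISA advisory; the CSV log format, the sample lines, the ten-minute window and the threshold of three non-approved pushes are all assumptions.

```python
"""Detecting MFA push-fatigue ("MFA bombing") patterns in authentication logs.

Added illustration; the CSV log format, field values, window and threshold are
assumptions for this example, not something taken from the FBI/CISA advisory.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (timestamp,user,event,result,source_ip). Not real data.
SAMPLE_LOG = """\
2023-11-16T08:00:05Z,alice,mfa_push,denied,203.0.113.10
2023-11-16T08:00:41Z,alice,mfa_push,denied,203.0.113.10
2023-11-16T08:01:12Z,alice,mfa_push,timeout,203.0.113.10
2023-11-16T08:01:50Z,alice,mfa_push,denied,203.0.113.10
2023-11-16T08:02:30Z,alice,mfa_push,approved,203.0.113.10
2023-11-16T08:05:00Z,bob,mfa_push,approved,198.51.100.7
2023-11-16T09:30:00Z,carol,mfa_push,denied,192.0.2.44
2023-11-16T11:00:00Z,carol,mfa_push,approved,192.0.2.44
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window for repeated pushes
THRESHOLD = 3                   # assumed number of non-approved pushes before alerting


def parse_line(line):
    """Parse one CSV line into a dict with a datetime timestamp."""
    ts, user, event, result, ip = line.split(",")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "result": result, "ip": ip}


def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per user who received >= `threshold` denied/unanswered
    pushes inside `window`. `approved_after` records whether the user then
    approved a push within `window` of the last bad one, which is the outcome
    a fatigue attack is trying to produce and the case to escalate first."""
    events = sorted((parse_line(l) for l in log_text.strip().splitlines()),
                    key=lambda e: e["ts"])
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            by_user[e["user"]].append(e)

    alerts = []
    for user, pushes in by_user.items():
        recent = []     # non-approved pushes still inside the sliding window
        alert = None
        for e in pushes:
            if e["result"] == "approved":
                if alert and e["ts"] - alert["last_bad"] <= window:
                    alert["approved_after"] = True
                continue
            recent.append(e)
            recent = [r for r in recent if e["ts"] - r["ts"] <= window]
            if len(recent) >= threshold:
                if alert is None:
                    alert = {"user": user, "first_bad": recent[0]["ts"],
                             "approved_after": False}
                    alerts.append(alert)
                alert["count"] = len(recent)
                alert["last_bad"] = e["ts"]
                alert["source_ips"] = sorted({r["ip"] for r in recent})
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG):
        print(a)
```

Run as a script it prints one alert for `alice` (four non-approved pushes inside ten minutes, then an approval). The `approved_after` flag is what matters for triage: a burst that ends in an approval means the attacker likely now holds a session, while a burst that ends without one is still worth a call to the user. Tuning the window and threshold against real volumes is left to the reader; legitimate users do occasionally decline a prompt once or twice.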
Having gained a foothold on the network, Scattered Spider uses a range of publicly available software tools for reconnaissance and lateral movement, including:
- Fleetdeck.io: Remote system monitoring and management
- Level.io: Remote system monitoring and management
- Mimikatz: Extracting credentials
- Ngrok: Remote web server access via Internet tunneling
- Pulseway: Remote system monitoring and management
- ScreenConnect: Managing remote connections of network devices
- Splashtop: Managing remote connections of network devices
- Tactical.RMM: Remote system monitoring and management
- Tailscale: VPN for secure network communications
- TeamViewer: Managing remote connections of network devices
Apart from the above legitimate tools used for malicious purposes, Scattered Spider also conducts phishing attacks to install malware such as WarZone RAT, Raccoon Stealer and Vidar Stealer, in order to steal login credentials, cookies and other data useful for further attacks on compromised systems.
A new tactic seen in the group’s recent attacks is data exfiltration and file encryption using ALPHV/BlackCat ransomware, followed by communication with victims via a messaging app, email or other secure tools to negotiate ransom payment.
Scattered Spider actors affiliated with BlackCat are also known to use the ransomware gang’s data leak site as part of their extortion attempts, where they leak data or post statements, as happened with their attack on Reddit.
Scattered Spider shows particular interest in valuable assets such as source code repositories, code signing certificates, and credential storage.
Additionally, attackers closely monitor the victim’s Slack channels, Microsoft Teams, and Microsoft Exchange emails for messages containing indications that their activities have been discovered.
“Threat actors frequently participate in incident resolution and response calls and conference calls, which can reveal how security teams are tracking them, and proactively develop new intrusion pathways in response to the victims’ defenses” – Federal Bureau of Investigation
The agency adds that cybercriminals achieve this “by creating new identities in the environment”, which often have fake social media profiles for a false sense of legitimacy.
The FBI and CISA recommend implementing specific mitigation measures to protect against threats posed by Scattered Spider.
The advisory’s main recommendations are to:
- Use “allowlist” application controls to manage software execution.
- Monitor remote access tools and implement phishing-resistant multi-factor authentication (MFA).
- Secure and limit the use of Remote Desktop Protocol (RDP) with best practices and MFA.
- Maintain offline backups and follow a robust data recovery plan.
- Follow NIST standards for strong, less frequently changed passwords.
- Keep systems and software regularly updated, focusing on fixing vulnerabilities.
- Implement network segmentation to control traffic and prevent the spread of ransomware.
- Use network monitoring and endpoint detection and response (EDR) tools to detect abnormal activity.
- Improve email security by disabling risky links and encrypting backup data.
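Two of the points above, application allowlisting and monitoring of remote access tools, come together naturally with the tool list given earlier: a defender can take that list, decide which (if any) of the products are sanctioned, and flag every process-creation event that involves one of the others, or a sanctioned one launched from a user-writable directory. The script below is an added example for this article, not code from the advisory or from any of the vendors named; the event format, the sample lines, the executable names and the single-approved-product assumption are all constructed for illustration.

```python
"""Flagging execution of remote-management and tunnelling tools that are not
sanctioned, over constructed process-creation events.

Added illustration. The event format, sample lines, executable names and the
approved list are assumptions; only the product names come from the advisory.
"""
import re

# Product names from the FBI/CISA tool list (lower-cased for matching).
ADVISORY_TOOLS = ["fleetdeck", "level.io", "mimikatz", "ngrok", "pulseway",
                  "screenconnect", "splashtop", "tacticalrmm", "tailscale",
                  "teamviewer"]

# Assumption: the organisation has sanctioned exactly one remote-management product.
APPROVED_TOOLS = {"splashtop"}

# Directories a sanctioned product should never run from (user-writable locations).
USER_WRITABLE = re.compile(r"\\(temp|downloads|appdata)\\", re.IGNORECASE)

# Constructed sample events, one per line: host|user|image_path|command_line
SAMPLE_EVENTS = r"""
ws-014|jdoe|C:\Program Files\Splashtop\SRService.exe|SRService.exe
ws-022|mbrown|C:\Users\mbrown\AppData\Local\Temp\ngrok.exe|ngrok.exe
srv-db01|svc_backup|C:\Windows\Temp\tv\TeamViewer.exe|TeamViewer.exe
ws-031|asmith|C:\Windows\System32\notepad.exe|notepad.exe
ws-022|mbrown|C:\Users\mbrown\Downloads\tacticalrmm-setup.exe|tacticalrmm-setup.exe
ws-040|kwong|C:\Users\kwong\Downloads\Splashtop_Streamer.exe|Splashtop_Streamer.exe
"""


def identify_tool(image_path, command_line):
    """Return the advisory tool name found in the path or command line, or None."""
    haystack = (image_path + " " + command_line).lower()
    for tool in ADVISORY_TOOLS:
        if tool in haystack:
            return tool
    return None


def classify_event(line):
    """Classify one event. Returns a finding dict, or None when nothing is notable."""
    host, user, image_path, command_line = line.split("|", 3)
    tool = identify_tool(image_path, command_line)
    if tool is None:
        return None
    finding = {"host": host, "user": user, "tool": tool, "image_path": image_path}
    if tool not in APPROVED_TOOLS:
        finding["reason"] = "unapproved_tool"
    elif USER_WRITABLE.search(image_path):
        finding["reason"] = "approved_tool_unusual_path"
    else:
        return None  # sanctioned product running from its normal install location
    return finding


def scan_events(events_text):
    """Run classify_event over every non-empty line; return the list of findings."""
    return [f for f in (classify_event(l) for l in events_text.strip().splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

On the sample data this yields four findings: Ngrok, TeamViewer and Tactical RMM as unapproved tools, and Splashtop flagged because it was started from a user’s Downloads folder rather than its install path. Name-based matching is deliberately simple and will miss a renamed binary; in production the same logic would sit on top of publisher signatures or file hashes from the allowlisting product, with this substring check kept as a cheap first pass.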
Finally, organizations are advised to test and validate their security controls against the MITRE ATT&CK techniques described in the advisory.